RedBoot
RedBoot is ransomware that runs on Microsoft Windows. When executed, it encrypts files on the computer and replaces the Master Boot Record (MBR) of the system drive. Because the ransomware provides no way to input a key that restores the MBR and the encrypted files, unless the ransomware developer has a bootable decryptor this malware is deemed to be a wiper.

Details

When the RedBoot ransomware is executed, it extracts five other files into a randomly named folder in the current user's User Profile folder. These files are boot.asm, assembler.exe, main.exe, overwrite.exe and protect.exe, and are described below:

*assembler.exe - A renamed copy of the legitimate NASM assembler, used to compile the boot.asm assembly file into the malware's Master Boot Record file, boot.bin.
*boot.asm - The assembly source file that is compiled into the new MBR of the infected machine.
*boot.bin - Generated when boot.asm is compiled by assembler.exe.
*overwrite.exe - Overwrites the existing Master Boot Record, or MBR, with the newly compiled boot.bin file.
*main.exe - A user-mode file encryptor that encrypts the files on the computer.
*protect.exe - Terminates and prevents various programs from running, including Task Manager (taskmgr.exe) and Process Hacker.

Once the files are extracted, the main launcher executes the following command to compile boot.asm into boot.bin:

"UserProfile\70281251\assembler.exe" -f bin "UserProfile\70281251\boot.asm" -o "UserProfile\70281251\boot.bin"

Once boot.bin has been compiled, the launcher deletes the boot.asm and assembler.exe files from the computer. It then uses the overwrite.exe program to overwrite the computer's current Master Boot Record with the compiled boot.bin using this command:

"UserProfile\70945836\overwrite.exe" "UserProfile\70945836\boot.bin"

The launcher then starts main.exe, which scans the computer for files to encrypt. This program also launches protect.exe in order to block programs that may be used to analyze or stop the infection. As main.exe encrypts files, it appends the .locked extension to each encrypted file's filename. When file encryption is complete, it reboots the computer; instead of starting Microsoft Windows, the new Master Boot Record displays a ransom note.

main.exe encrypts every file with one of the following extensions in the Desktop, Downloads, Music, Pictures and Videos folders of the current User Profile folder:

.aif .aifc .aiff .asf .asx .au .bas .bat .bmp .cmd .com .config .cpl .dib .doc .docx .dot .dvr-ms .emf .exe .gif .hta .htm .html .ico .ini .ivf .jfif .jpe .jpeg .jpg .m1v .m3u .mht .mid .midi .mp2 .mp2v .mp3 .mpa .mpe .mpeg .mpg .mpv2 .msilnk .pdb .pdf .pif .png .pot .pps .ppt .pptx .reg .rle .rmi .rtf .scr .search-ms .snd .tif .tiff .txt .vb .wav .wax .wm .wma .wmf .wmv .wmx .wvx .xbap .xls .xlsx .xlt .xlw .xml .xps .zip

The ransom screen instructs the victim to send their ID key to the developer at redboot@memeware.net in order to get payment instructions. This malware does not encrypt the MFT, so the MBR payload is only a message screen (which can be repaired with the fixmbr C: command). While this ransomware is brand new and still being researched, preliminary analysis does not look promising for any victims of this malware. This is because, in addition to the files being encrypted and the MBR being overwritten, preliminary analysis shows that the ransomware may also modify the partition table without providing a method to restore it. This means that even if the victim contacted the developer and paid the ransom, the hard drive may not be recoverable, which makes it a wiper trojan.
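A defender-side triage helper, added here as an example and not part of the original write-up or of the malware itself: it matches process-creation and file-rename events against the two command lines and the .locked rename behaviour described above, so the staged MBR compile in a numeric profile folder can be flagged before overwrite.exe runs. The telemetry, the C:\Users\alice profile path and the event field names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): process-creation and file-rename
# events shaped after the command lines quoted in the write-up.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Users\alice\70281251\assembler.exe",
     "cmdline": r'"C:\Users\alice\70281251\assembler.exe" -f bin '
                r'"C:\Users\alice\70281251\boot.asm" -o "C:\Users\alice\70281251\boot.bin"'},
    {"image": r"C:\Users\alice\70945836\overwrite.exe",
     "cmdline": r'"C:\Users\alice\70945836\overwrite.exe" "C:\Users\alice\70945836\boot.bin"'},
    # Benign developer use of NASM from an installed location: must not fire.
    {"image": r"C:\Program Files\NASM\nasm.exe",
     "cmdline": r'"C:\Program Files\NASM\nasm.exe" -f bin boot.asm -o boot.bin'},
]
SAMPLE_RENAME_EVENTS = [
    {"old": r"C:\Users\alice\Pictures\cat.jpg", "new": r"C:\Users\alice\Pictures\cat.jpg.locked"},
    {"old": r"C:\Users\alice\Pictures\cat.jpg", "new": r"C:\Users\alice\Pictures\cat_2017.jpg"},
]

# Dropped components live in a randomly named numeric folder directly under the profile.
PROFILE_NUMERIC_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\\d+\\", re.IGNORECASE)
TARGET_FOLDERS = {"desktop", "downloads", "music", "pictures", "videos"}

def classify_process(ev):
    """Return the indicator names one process-creation event matches."""
    if not PROFILE_NUMERIC_DIR.match(ev["image"]):
        return []  # only the profile-resident renamed binaries are suspicious
    name = PureWindowsPath(ev["image"]).name.lower()
    cmd = ev["cmdline"].lower()
    hits = []
    if name == "assembler.exe" and "-f bin" in cmd and re.search(r'-o\s+"?[^"]*\\boot\.bin', cmd):
        hits.append("nasm_compiles_boot_bin_in_profile")
    if name == "overwrite.exe" and cmd.rstrip('"').endswith("boot.bin"):
        hits.append("overwrite_exe_given_boot_bin")
    return hits

def classify_rename(ev):
    """True when a file in one of the five targeted profile folders gains .locked."""
    new = PureWindowsPath(ev["new"])
    parts = [p.lower() for p in new.parts]
    in_target = len(parts) >= 5 and parts[1] == "users" and parts[3] in TARGET_FOLDERS
    return in_target and new.suffix.lower() == ".locked" and new.stem == PureWindowsPath(ev["old"]).name

def scan(process_events, rename_events):
    """Aggregate indicators from both event streams into one alert record."""
    return {"process": [h for ev in process_events for h in classify_process(ev)],
            "locked_renames": [ev["new"] for ev in rename_events if classify_rename(ev)]}
```

Matching the compile step rather than only the rename gives a detection point before the MBR is replaced; the rename check alone only confirms encryption already under way.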